Here are 5 non-technical preventive measures to reduce the risk of a cyber-attack.
1.) Security Policies and Procedures
In alignment with NIST 800-171, entities should implement, document, and regularly assess and update policies as a set of rules and principles adopted for ease of governance within an organization. Policies including, but not limited to, Information Security, Asset Management, Vendor Management, Disaster Recovery/Business Continuity, and Physical Security should be developed and maintained. Policies and procedures provide guidelines for acceptable use of technology resources, which lets staff know and understand expectations, and they set rules and guidelines for decision making and approvals.
How do you know if you are on the right track?
ALL the above-referenced policies and/or procedures are documented and reviewed annually for changes to processes and/or staffing. Any changes occurring prior to the annual review period are updated immediately. Any changes to policies directly affecting the organization are communicated. The latest versions of policies and procedures should always be readily available, either through a policy portal or upon request.
2.) Annual Security Awareness & Training Programs
Approximately 85 to 90 percent of all cyber-attacks can be attributed to the human element. Implementing, embracing, and championing security training programs creates a proactive security culture. All organizations should establish and maintain a continuous, regularly scheduled security awareness program that influences the workforce to be security conscious and adequately skilled to reduce cybersecurity risks. The purpose of a security awareness program is to educate the district’s workforce on how to interact with district assets and data in a secure manner. When completed by all employees at least annually, it helps all employees learn to prevent possible attacks and minimize the risk of losing Personally Identifiable Information (PII) and/or Personal Health Information (PHI) data. Periodic phishing tests teach employees to be aware of possible malicious emails, instruct them how to report phishing attempts when they occur, and identify the areas in most need of training throughout the district.
How do you know if you are on the right track?
Training incorporates relevant topics related to the district and, at the very least, includes topics such as phishing, smishing, vishing, data handling, tailgating, and any other topics that may be identified in an annual cybersecurity risk assessment. Phishing exercises are conducted regularly, designated staff review the results, and results are shared with management.
3.) Access Control Management
The district should use documented processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for district assets and software. The processes for granting or revoking access, preferably automated, should be role-based and established by determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Role-based access protects critical data/information by limiting employee access to only the data they require. Multi-Factor Authentication (MFA) prevents unauthorized users from gaining access to systems and sensitive data.
How do you know if you are on the right track?
MFA is enabled and mandated for all critical and confidential district and/or third-party applications, remote network access, and all administrative accounts. Access control reviews of district assets are performed on a recurring schedule, at least annually or more frequently, to validate that all privileges are authorized.
4.) Service Provider Management Program
Districts should develop a formal program to evaluate service providers who hold sensitive data or are responsible for the organization’s critical IT platforms or processes, both prior to contract and annually, to ensure these providers are protecting those platforms and data appropriately. This can be achieved by establishing and maintaining an inventory of service providers, having a service provider management policy, and assessing and monitoring service providers. This allows school districts to track suppliers and provides the data needed to identify supplier risks, take the necessary steps to mitigate them, or choose an alternative vendor. Risk assessments should be performed on service providers prior to contract, and annually, to assess the risk to the district.
How do you know if you are on the right track?
Service provider contracts include security requirements. These may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the district’s service provider management policy, so it is best to review the service provider contracts annually to ensure they are not missing security requirements.
Service providers are securely decommissioned upon termination. Some considerations include user and service account deactivation, termination of data flows, and secure disposal of district data within service provider systems.
5.) Physical Security Controls
Districts should implement and maintain an electronic system that controls the ability of people or vehicles to enter a protected area by means of authentication and authorization at access control points. This can entail implementing a policy and/or procedure which documents enabling and disabling access to any or all locations throughout each building, implementing physical access authorizations to employees by position and role, restricting unescorted access by guests, and monitoring physical access to sensitive areas.
How do you know if you are on the right track?
All secure areas are protected by appropriate entry controls (preferably key card access) to ensure that only authorized personnel are allowed access. Physical access reviews are performed periodically. Access cards are disabled immediately for terminated employees. Lost or stolen access cards are disabled promptly.
All of these can be readily achieved. In addition to the controls above, keep up to date by subscribing to cybersecurity alerts and/or news feeds.
This article was also featured in our newsletter Lesson Plan Vol. 26